
New Cloud Security Podcast Video: Detecting and Preventing Stealthy Attacks in Azure
In this new video from the Cloud Security Podcast, the featured guest is Christian Filipov, Principal Security Consultant at WithSecure. The discussion focuses on the methods attackers use to remain stealthy in Azure environments and how to detect and prevent these activities.

Christian begins by explaining the fundamental differences between threat detection on-premises and in the cloud. On-premises systems benefit from many years of development in defensive techniques and telemetry collection, which allows suspicious activity such as the execution of Mimikatz to be detected. In contrast, the cloud, and Azure in particular, is relatively immature when it comes to detecting suspicious activity. Azure has long lacked the ability to log read events, which makes reconnaissance and enumeration difficult to detect.

Christian highlights three common methods attackers use to remain stealthy in Azure. The first involves the older Azure AD Graph API, which does not log read events. The second involves the IBA API, used by the Azure portal to interact with resources. The third relies on the PIM (Privileged Identity Management) API, which does not natively integrate with Microsoft Graph, limiting the logging of its activity.

To detect these stealthy activities, Christian recommends using Log Analytics workspaces, where logs from the various Azure resources are centralized. Organizations can then run advanced queries to spot suspicious activity. Microsoft Sentinel, a SIEM solution built for security operations, can also be used to analyze behavior and generate alerts. Other tools such as Splunk or CSPM (Cloud Security Posture Management) solutions can be integrated to monitor and detect suspicious events. Christian also discusses Microsoft Defender for Cloud, a suite of integrated security services that offers behavioral analysis and machine learning capabilities for detecting suspicious events. Although Defender for Cloud is powerful, it does not yet cover every gap in the logging of read events.

To prevent these stealthy attacks, Christian emphasizes the importance of conditional access policies, which can restrict access based on specific criteria such as authorized IP address ranges. He also stresses the need to reduce privileges to the minimum necessary, although this can be difficult to implement in large enterprises.

In conclusion, while detection capabilities in Azure are still developing, there are ways to detect and prevent stealthy activity. Christian remains optimistic about the future, hoping that Microsoft will continue to close these gaps. For more information, watch the full video at the following address: https://www.youtube.com/watch?v=YiIhCAZCrzk
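As an added example (not code from the podcast or from the guest), the detection idea described above in Python: because reads through the legacy Azure AD Graph API leave no audit entry, the sign-in that issued the token is the observable, and it can be cross-checked against the IP ranges a conditional access policy would allow. The field names mirror a sign-in log export such as the SigninLogs table in Log Analytics; the sample records, user names and allowed ranges are constructed.

```python
"""Added example: hunting for token issuance to the legacy Azure AD Graph API.
Sample sign-in records, users and allowed ranges below are constructed assumptions."""
import ipaddress
import json

# Well-known application ID of the legacy Azure AD Graph resource.
LEGACY_AAD_GRAPH = "00000002-0000-0000-c000-000000000000"
# Authorised egress ranges, as a conditional access policy would define them (assumed).
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample sign-in records (JSON lines), not real telemetry.
SAMPLE_SIGNINS = """\
{"UserPrincipalName": "alice@example.com", "AppDisplayName": "Azure Portal", "ResourceIdentity": "00000003-0000-0000-c000-000000000000", "IPAddress": "203.0.113.10", "ResultType": "0"}
{"UserPrincipalName": "bob@example.com", "AppDisplayName": "Azure Active Directory PowerShell", "ResourceIdentity": "00000002-0000-0000-c000-000000000000", "IPAddress": "198.51.100.7", "ResultType": "0"}
{"UserPrincipalName": "carol@example.com", "AppDisplayName": "Azure Active Directory PowerShell", "ResourceIdentity": "00000002-0000-0000-c000-000000000000", "IPAddress": "203.0.113.22", "ResultType": "0"}
{"UserPrincipalName": "dave@example.com", "AppDisplayName": "Azure Active Directory PowerShell", "ResourceIdentity": "00000002-0000-0000-c000-000000000000", "IPAddress": "198.51.100.9", "ResultType": "50126"}
"""


def in_allowed_range(ip: str) -> bool:
    """True when the address falls inside one of the authorised ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


def find_legacy_graph_tokens(jsonl: str) -> list:
    """Return successful token issuances for Azure AD Graph from outside the allowed ranges."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("ResultType") != "0":            # a failed sign-in never yielded a token
            continue
        if rec.get("ResourceIdentity") != LEGACY_AAD_GRAPH:
            continue
        if in_allowed_range(rec["IPAddress"]):       # inside policy: lower priority, not reported
            continue
        findings.append({"user": rec["UserPrincipalName"],
                         "client": rec["AppDisplayName"],
                         "ip": rec["IPAddress"]})
    return findings


if __name__ == "__main__":
    for f in find_legacy_graph_tokens(SAMPLE_SIGNINS):
        print(f"legacy Azure AD Graph token for {f['user']} via {f['client']} from {f['ip']}")
```

The same filter expressed in KQL over the SigninLogs table gives the Log Analytics or Sentinel query the podcast refers to; sign-ins from inside the allowed ranges still deserve a lower-severity review, since the legacy API has no audit trail of its own.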